This is a kind of documentation or walkthrough of my work, which could be called a DevSecOps diary.

Install Istio with the Istio operator and profiles using a Helm chart.

Istio changes so frequently that every new release has some surprise.

In a previous post I already created a k8s cluster; now I am experimenting with istio 1.6.3.

Let’s start with a standalone operator install using the helm chart. I create a new branch from my previously created repository: clone it and check out a new branch named install-istio-with-istio-operator-helm-chart.

git clone https://github.com/nahidupa/k8s-eks-with-terraform.git
git checkout -b install-istio-with-istio-operator-helm-chart

Create a new folder named “istio” in the repository root and add it to .gitignore. Download Istio into it with the following command, which is taken from the istio documentation.

$ curl -L https://istio.io/downloadIstio | sh -

Have a look at what is inside the downloaded items.

[image: Items inside Istio download]

Now check the values.yaml

[image: values.yaml]

Huh, it looks like nothing needs to be configured here. Because it’s an operator, it should be smart!

Now let’s write the terragrunt.hcl for the istio install.

[image: istio terragrunt hcl]

At this point I add an option to specify the namespace in my previously created helm shared module.

main.tf
resource "helm_release" "local" {
  name      = var.name
  chart     = var.charts
  namespace = var.namespace // new: the namespace the release is installed into
}

vars.tf

variable "namespace" {
  description = "(Optional) The namespace to install the release into. Defaults to default"
  type        = string
  default     = "default"
}

Note: do not create the istio-operator namespace beforehand and do not specify it for the release; the istio operator chart creates its namespaces itself. If the namespace already exists, Helm 3 refuses to adopt it because it carries none of Helm’s ownership labels and annotations, and the apply fails with the following error.

Error: rendered manifests contain a resource that already exists. Unable to continue with install: Namespace "istio-operator" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "istio-operator-1.6.3"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "istio-operator"

  on main.tf line 7, in resource "helm_release" "local":
   7: resource "helm_release" "local" {

However, we do need to adjust values.yaml with the values we want. Let’s copy the values.yaml file from the istio-operator chart directory, istio-1.6.3/manifests/charts/istio-operator/.

[image: istio helm docs]

The values.yaml with my changes is:

hub: docker.io/istio
tag: 1.6.3
operatorNamespace: istio-operator
istioNamespace: istio-system

Now it’s time to apply the changes.

terragrunt apply

This will install the istio operator. Let’s verify the installation.

~ kubectl get pod -n istio-operator
NAME                              READY   STATUS    RESTARTS   AGE
istio-operator-8494bc7758-zx7qk   1/1     Running   0          17s

The next step is to create a profile for istio. Some example profiles can be found in the istio package under istio-1.6.3/manifests/profiles.

At this moment the official Terraform provider does not support applying an ad-hoc YAML file to the cluster.

There is a third-party kubectl provider whose kubectl_manifest resource can be used to apply ad-hoc YAML.

HashiCorp recently released a new Kubernetes provider that is still in an alpha stage. Check its documentation to know more about it.

The requirement for it is Kubernetes 1.17, so I would have to upgrade my k8s cluster. EKS (today is 1 July 2020) does not support 1.17 yet either. Maybe we can use it in the future.

So I use a different way to apply the istio profile with terraform: I create a helm chart and use the helm provider to install the istio profile.

For simplicity, the helm chart only contains “default.yaml”, which creates the istio profile (an IstioOperator resource), and “namespace.yaml”, which creates the istio-system namespace. “values.yaml” controls the parameters of the chart.

[image: istio profile helm chart]
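As an added example (this is not the author’s chart, whose contents are only shown in the image above), here is what such a minimal istio-profile chart can look like, with all four files in one listing. The chart name, file names and the namespace/profile/hub/tag values are assumptions; the IstioOperator resource goes into istio-system, the namespace the operator chart’s istioNamespace value points at.

```yaml
# Added example, not the author's chart. Four files of a minimal Helm chart
# that installs an Istio profile through the already running istio operator.
# Every name and value here is an assumption for illustration.

# --- Chart.yaml
apiVersion: v2
name: istio-profile
description: Installs an Istio profile through the Istio operator
type: application
version: 0.1.0
appVersion: "1.6.3"

# --- values.yaml
# Parameters the templates consume.
namespace: istio-system      # must match istioNamespace of the operator chart
profile: default             # one of the profiles under manifests/profiles
hub: docker.io/istio
tag: 1.6.3                   # pin the image tag; never rely on "latest"

# --- templates/namespace.yaml
# Helm creates the namespace as part of the release, so it carries Helm's
# ownership labels and a later upgrade does not hit the "already exists" error.
apiVersion: v1
kind: Namespace
metadata:
  name: {{ .Values.namespace }}

# --- templates/default.yaml
# The IstioOperator resource selects the profile and pins the image source.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-{{ .Values.profile }}
  namespace: {{ .Values.namespace }}
spec:
  profile: {{ .Values.profile }}
  hub: {{ .Values.hub }}
  tag: {{ .Values.tag }}
```

Rendering the chart with helm template before the terragrunt apply is a cheap check that the profile name and namespace resolve as intended. Installing it through the same helm3-local-chart module with the namespace variable left at its default lets the chart, not a manual kubectl command, create istio-system, which keeps Helm as the owner of that namespace.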

Time to apply this simple helm chart to the cluster.

[image: istio-profile-hcl]

Let’s verify the istio installation.

~ kubectl get pod -n istio-system
NAME                                    READY   STATUS    RESTARTS   AGE
grafana-5dc4b4676c-hmxmt                1/1     Running   0          104m
istio-ingressgateway-5855454469-c8rgf   1/1     Running   0          104m
istiod-6dd6b5b5b6-dkznt                 1/1     Running   0          104m
prometheus-d8b7c5949-mln6x              2/2     Running   0          104m

Nice, all components are running. Let’s check the Grafana dashboard.

kubectl port-forward service/grafana 3000:3000 -n istio-system

[image: istio grafana]

It’s time to tag the shared repo and commit.

git tag v0.0.3
git push origin --tags

Use the proper path and ref in the terragrunt code. Pinning the module source to a tag keeps the build reproducible; since git tags can be moved, pinning to a commit SHA is the stricter option when supply-chain integrity matters.

  source = "git::https://github.com/nahidupa/terraform-shared-modules.git//modules/helm3-local-chart?ref=v0.0.3"

Also, it’s time to do some integration tests.

~ cd k8s-eks-with-terraform/dev/ap-southeast-1
# Clear cache
~ find . -type d -name ".terragrunt-cache" -prune -exec rm -rf {} \;

terragrunt plan-all
git push --set-upstream origin install-istio-with-istio-operator-helm-chart

EOF.